Doug Madory, Director of Internet Analysis at Oracle’s Internet Intelligence team, in his recent blog post addresses the paper’s claims. He said, “I don’t intend to address the paper’s claims around the motivations of these actions. However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017”.

SK Broadband, formerly known as Hanaro, experienced a brief routing leak on 9 December 2015, which lasted a little more than a minute. During the incident, SK’s ASN, AS9318, announced over 300 Verizon routes that were picked up by OpenDNS’s BGPstream service. This leak was announced exclusively through China Telecom (AS4134), one of SK Broadband’s transit providers.

Just minutes after that, AS9318 began transiting the same routes from Verizon APAC (AS703) to China Telecom (AS4134). The China telecom in turn began announcing them to international carriers such as Telia (AS1299), Tata (AS6453), GTT (AS3257) and Vodafone (AS1273), which resulted in AS paths such as:

… {1299, 6453, 3257, 1273} 4134 9318 703

Doug says, “Networks around the world who accepted these routes inadvertently sent traffic to Verizon APAC (AS703) through China Telecom (AS4134). Below is a traceroute mapping the path of internet traffic from London to address space belonging to the Australian government. Prior to this routing phenomenon, it never traversed China Telecom”.

He added, “Over the course of several months last year, I alerted Verizon and other Tier 1 carriers of the situation and, ultimately, Telia and GTT (the biggest carriers of these routes) put filters in place to ensure they would no longer accept Verizon routes from China Telecom. That action reduced the footprint of these routes by 90% but couldn’t prevent them from reaching those who were peering directly with China Telecom”.

Focus of the BGP hijack alerting

The common focus of BGP hijack alerting is looking for unexpected origins or immediate upstreams for routed address space. But traffic misdirection can occur at other parts of the AS path.

In this scenario, Verizon APAC (AS703) likely established a settlement-free peering relationship with SK Broadband (AS9318), unaware that AS9318 would then send Verizon’s routes exclusively on to China Telecom and who would in turn send them on to the global internet.

Doug said, “We would classify this as a peer leak and the result was China Telecom’s network being inserted into the inbound path of traffic to Verizon. The problematic routing decisions were occurring multiple AS hops from the origin, beyond its immediate upstream.

Thus, he adds that the routes accepted from one’s peers also need monitoring, which is a fairly rare practice. Blindly accepting routes from a peer enables the peer to insert itself into the path of your outbound traffic.